Welcome!

Cloud Security Authors: Kevin Jackson, Craig Lowell, Pat Romanski, Shelly Palmer, Ed Featherston

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Containers Expo Blog, Agile Computing, Cloud Security

@CloudExpo: Article

Software as a Service (SaaS), Security and Risk Management: Part 1

A SaaS Security roadmap

As cloud computing technologies and offerings mature and evolve in its services to customers, one common consumer use will be that of the Software as a Service (SaaS) model.

My earlier articles have touched on the various models, risks, security and forensics at several levels. There is also a plethora of resources available now that end users can educate themselves with that are freely available online.

This article will focus on aspects of security that impact the SaaS environment as developed, presented or augmented by me for several Cloud Computing projects.

Before we proceed in the subject matter, a brief clarification of what I refer to as the cloud follows. Keep in mind that this term "cloud computing" is now being used to describe a broad range of services to include product descriptors that sits outside the common definition of the cloud.

For ease of reference I will refer to the National Institute of Standards and Technology (NIST) [1] definition of which the following is a part. "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Over the years since the concept of Cloud Computing evolved we have seen an accepted concept of the "Cloud Computing Stack", with its three distinct categories: Software as a Service, Platform as a Service and Infrastructure as a Service; where the IaaS Is the platform upon which PaaS rests and which is turn has SaaS rests moving up from IaaS to SaaS.

It is important to keep this basic stack in mind as the building blocks of the Cloud Computing system and not get distracted by all the "as a Service" spring up across markets as we proceed with this article.

As we move more and more services into the Cloud ecosystem, there will always be concerns regarding security. However a prescriptive combination of both preventive and detective controls at those data centers housing the IaaS ecosystem is on the path to security compliance and event mitigation. These controls, as a step toward better cloud computing security should be assessed and assured to meet industry tested security controls, as well as regulatory and policy requirements. The same format can be modified and applied up the stack to the PaaS segment.

However it is at the SaaS layer that we can perceive additional challenges with cloud security. One critical area of concern stems from the potential risk that a client's data can be exposed to as it is stored within the storage system of its SaaS provider. This risk can potentially increase in the event of the SaaS provider in turn utilizing the services of a third party IaaS provider.

While effective data center security controls are good for inside a data center, web-services or applications outside this area are a growing target for application layer type attacks. This can lead to the loss of critical to sensitive customer data as well as intellectual property and other corporate data.

A challenge for the IT security professional here is how to implement a level of protection that meets IT Security control requirements as well as ensures compliance with information security regulations, E.g. PCI-DSS in the case of transactions via web services.

In both the traditional environments and cloud services infrastructure environments, we have firewalls tweaked and configured with rulebase automation as a best practice. However in the dynamic cloud environment I believe that having to manage firewall signatures for example, amongst other issues could be challenging and counter-productive.

Essentially we would need to implement security in a layered approach which should include the network, servers, databases and coding, augmented by a system that should have a defined security process based on the SaaS environment and its functionality. This should be an additive measure to augment other monitoring and logging systems deployed to secure this environment.

This system should also have the ability to implement tools that will be able to dynamically learn the behavior of an application supported by an automated mechanism, thus removing the need for signatures in the case of firewall systems as mentioned earlier.

Within the SaaS environment we need to ensure adequate security in input validation by SaaS end users, effective user authentication and authorization, proper data segregation with security encapsulation for data in motion using SSL (3.0 or above) or TLS (1.0 above), effective software patching policies and procedures by the SaaS provider working with its software vendors as well as a key generation strategy.

(While SSL/TLS is encryption for data in motion between a Web Server and a browser is a good practice, administrators should disable weak algorithms and ciphers residing on the Web Server).

There must also be assurance for uptime or availability that is formalized in a Service Level Agreement (SLA). Impact on environments supporting the SaaS ecosystem can be attacks impacting Network Security as well as the process for Backup and Recovery.

Researchers Bhadauria and Sanyal [1] stated "Two types of servers are used by SaaS: the Main Consistence Server (MCS) and Domain Consistence Server (DCS). Cache coherence is achieved by the cooperation between MCS and DCS. In SaaS, if the MCS is damaged, or compromised, the control over the cloud environment is lost. Hence securing the MCS is of great importance."

Another concern within this ecosystem is that of cross site scripting attacks that targets Asynchronous JavaScript and XML- AJAX [2].A best practice here would be to have a policy that ensures that all calls are verified with the Web Server and Service to ensure proper authentication and authorization before allowing the request.

Moving away a bit from the technology of security in this environment, Cloud Computing and SaaS on a whole was in its infancy and in some circles denounced as a viable IT service (no names called here, but a tech company leader specializing in databases and now cloud products comes to mind).

In terms of regulations that impact web services and by extension SaaS, we can reference the Gramm-Leach-Bliley Act (GLBA) [3] passed in 1999, Sarbanes-Oxley Act (SOX) in 2002 [4], and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule of 2003[5]. All three of these regulations, although important in their relative environments (e.g. Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), Intellectual Property systems (IPS) and Human Resources Systems), were not crafted to include elements of a SaaS environment then.

As a result there needs to be finite and focused addendums or improvement to these acts as was in the case of SAS 70 to SSAE 16 to meet this technological evolution.

Of importance is that, despite the security measures and attestations provided by a SaaS provider to assure a client of their security controls or compensating controls and compliance processes in place to meet regulatory and security standards; it is still the responsibility of a data owner to maintain industry regulated requirements to comply with confidentiality, integrity, non-repudiation and security control over sensitive to critical information.

So the challenge here is to ensure that a cloud client requirement (Security Policy, Strategy, Data Provenance, Operational and End-User Security) is part of the discussion with the cloud provider and most if not all requirements mirror.

The designation of data classification is part of another topic and should be the influenced by the result of risk impact and gap analysis.

As a closing point the value of vulnerability assessments and penetration tests within the SaaS environment is an important tool for an independent set of eyes to present information that a potential attacker will find and use against the SaaS. This is not only related to technology as is well known due to the rise of social engineering.

References

[1] A Survey on Security Issues in Cloud Computing www.ijcaonline.org › Archives › Volume 47 › Number 18, Rohit Bhadauria; Sugata Sanyal, 2012

[2] Jesse James Garrett (18 February 2005). "Ajax: A New Approach to Web Applications". AdaptivePath.com.

[3] http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act

[4] http://www.sec.gov/info/smallbus/404guide/intro.shtml

[5] http://www.hhs.gov/ocr/privacy/

More Stories By Jon Shende

Jon RG Shende is an executive with over 18 years of industry experience. He commenced his career, in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies,also becoming certified in Industrial Pump and Valve repairs. Jon gained global experience over his career working within several verticals to include pharma, medical sales and marketing services as well as within the technology services environment, eventually becoming the youngest VP of an international enterprise. He is a graduate of the University of Oxford, holds a Masters certificate in Business Administration, as well as an MSc in IT Security, specializing in Computer Crime and Forensics with a thesis on security in the Cloud. Jon, well versed with the technology startup and mid sized venture ecosystems, has contributed at the C and Senior Director level for former clients. As an IT Security Executive, Jon has experience with Virtualization,Strategy, Governance,Risk Management, Continuity and Compliance. He was an early adopter of web-services, web-based tools and successfully beta tested a remote assistance and support software for a major telecom. Within the realm of sales, marketing and business development, Jon earned commendations for turnaround strategies within the services and pharma industry. For one pharma contract he was responsibe for bringing low performing districts up to number 1 rankings for consecutive quarters; as well as outperforming quotas from 125% up to 314%. Part of this was achieved by working closely with sales and marketing teams to ensure message and product placement were on point. Professionally he is a Fellow of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner and holds the CITP and CRISC certifications.Jon Shende currently works as a Senior Director for a CSP. A recognised thought Leader, Jon has been invited to speak for the SANs Institute, has spoken at Cloud Expo in New York as well as sat on a panel at Cloud Expo Santa Clara, and has been an Ernst and Young CPE conference speaker. His personal blog is located at http://jonshende.blogspot.com/view/magazine "We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."

@ThingsExpo Stories
With an estimated 50 billion devices connected to the Internet by 2020, several industries will begin to expand their capabilities for retaining end point data at the edge to better utilize the range of data types and sheer volume of M2M data generated by the Internet of Things. In his session at @ThingsExpo, Don DeLoach, CEO and President of Infobright, discussed the infrastructures businesses will need to implement to handle this explosion of data by providing specific use cases for filterin...
IoT generates lots of temporal data. But how do you unlock its value? You need to discover patterns that are repeatable in vast quantities of data, understand their meaning, and implement scalable monitoring across multiple data streams in order to monetize the discoveries and insights. Motif discovery and deep learning platforms are emerging to visualize sensor data, to search for patterns and to build application that can monitor real time streams efficiently. In his session at @ThingsExpo, ...
Early adopters of IoT viewed it mainly as a different term for machine-to-machine connectivity or M2M. This is understandable since a prerequisite for any IoT solution is the ability to collect and aggregate device data, which is most often presented in a dashboard. The problem is that viewing data in a dashboard requires a human to interpret the results and take manual action, which doesn’t scale to the needs of IoT.
Internet of @ThingsExpo has announced today that Chris Matthieu has been named tech chair of Internet of @ThingsExpo 2016 Silicon Valley. The 6thInternet of @ThingsExpo will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Much of IT terminology is often misused and misapplied. Modernization and transformation are two such terms. They are often used interchangeably even though they mean different things and have very different connotations. Indeed, it is somewhat safe to assume that in IT any transformative effort is likely to also have a modernizing effect, and thus, we can see these as levels of improvement efforts. However, many businesses are being led to believe if they don’t transform now they risk becoming ...
CenturyLink has announced that application server solutions from GENBAND are now available as part of CenturyLink’s Networx contracts. The General Services Administration (GSA)’s Networx program includes the largest telecommunications contract vehicles ever awarded by the federal government. CenturyLink recently secured an extension through spring 2020 of its offerings available to federal government agencies via GSA’s Networx Universal and Enterprise contracts. GENBAND’s EXPERiUS™ Application...
What does it look like when you have access to cloud infrastructure and platform under the same roof? Let’s talk about the different layers of Technology as a Service: who cares, what runs where, and how does it all fit together. In his session at 18th Cloud Expo, Phil Jackson, Lead Technology Evangelist at SoftLayer, an IBM company, spoke about the picture being painted by IBM Cloud and how the tools being crafted can help fill the gaps in your IT infrastructure.
SYS-CON Events announced today the Enterprise IoT Bootcamp, being held November 1-2, 2016, in conjunction with 19th Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA. Combined with real-world scenarios and use cases, the Enterprise IoT Bootcamp is not just based on presentations but with hands-on demos and detailed walkthroughs. We will introduce you to a variety of real world use cases prototyped using Arduino, Raspberry Pi, BeagleBone, Spark, and Intel Edison. Y...
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
The best-practices for building IoT applications with Go Code that attendees can use to build their own IoT applications. In his session at @ThingsExpo, Indraneel Mitra, Senior Solutions Architect & Technology Evangelist at Cognizant, provided valuable information and resources for both novice and experienced developers on how to get started with IoT and Golang in a day. He also provided information on how to use Intel Arduino Kit, Go Robotics API and AWS IoT stack to build an application tha...
It’s 2016: buildings are smart, connected and the IoT is fundamentally altering how control and operating systems work and speak to each other. Platforms across the enterprise are networked via inexpensive sensors to collect massive amounts of data for analytics, information management, and insights that can be used to continuously improve operations. In his session at @ThingsExpo, Brian Chemel, Co-Founder and CTO of Digital Lumens, will explore: The benefits sensor-networked systems bring to ...
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Identity is in everything and customers are looking to their providers to ensure the security of their identities, transactions and data. With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience. Making identity, security and privacy easy for customers provides a unique advantage over the competition.
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
"Tintri was started in 2008 with the express purpose of building a storage appliance that is ideal for virtualized environments. We support a lot of different hypervisor platforms from VMware to OpenStack to Hyper-V," explained Dan Florea, Director of Product Management at Tintri, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Is your aging software platform suffering from technical debt while the market changes and demands new solutions at a faster clip? It’s a bold move, but you might consider walking away from your core platform and starting fresh. ReadyTalk did exactly that. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, will discuss why and how ReadyTalk diverted from healthy revenue and over a decade of audio conferencing product development to start an innovati...
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.
Large scale deployments present unique planning challenges, system commissioning hurdles between IT and OT and demand careful system hand-off orchestration. In his session at @ThingsExpo, Jeff Smith, Senior Director and a founding member of Incenergy, will discuss some of the key tactics to ensure delivery success based on his experience of the last two years deploying Industrial IoT systems across four continents.
There will be new vendors providing applications, middleware, and connected devices to support the thriving IoT ecosystem. This essentially means that electronic device manufacturers will also be in the software business. Many will be new to building embedded software or robust software. This creates an increased importance on software quality, particularly within the Industrial Internet of Things where business-critical applications are becoming dependent on products controlled by software. Qua...
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...